I want to create a filter that has more than one condition and therefore avoid creating the same filter for all possibilities again and again. An example: I want the IF condition to apply when the field "method" contains one of these values: "reply", "reply[A]", "reply[AAAA]".
My last attempt looks like this:
if [method] == ["reply", "reply[A]", "reply[AAA]"] {
grok {...
but it doesn't seem to work.
In another filter, I would like to query whether the tag content is stored in a local text file, delimited for example by newline or comma. Is that possible, and if so, how?
I solved it in the meantime, found a similar approach:
if [method] =~ /^repl*/ {mutate { ...
More examples like the one you provided would be great in the documentation.
I am now trying to solve the "look for the string in a file" question.
My approach so far is to use "translate" and "csv", and add a tag or field when the string is found. But for sure there is a more elegant approach?
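Added example, not part of any post in this thread: a Logstash filter block covering both questions, using the `in` operator or a fully anchored regex for the fixed set of values, and the `translate` filter with `dictionary_path` for the file lookup. The tag names, the `[@metadata][method_listed]` field and the dictionary path are assumptions made for illustration; `source`/`target` are the option names in recent versions of the translate filter (older versions use `field`/`destination`).

```logstash
filter {
  # Membership test: "in" checks whether the field value is one of the
  # list elements. "==" compares against a single value, not a list.
  if [method] in ["reply", "reply[A]", "reply[AAAA]"] {
    mutate { add_tag => ["method_reply"] }          # hypothetical tag name
  }

  # Regex form of the same test. Anchored at both ends and with the
  # brackets escaped, so only the three listed values match and other
  # values that merely start with "rep" do not.
  if [method] =~ /^reply(\[(A|AAAA)\])?$/ {
    mutate { add_tag => ["method_reply_regex"] }    # hypothetical tag name
  }

  # File lookup: the translate filter loads a YAML, JSON or CSV
  # dictionary from disk and re-reads it every refresh_interval seconds.
  # Constructed sample dictionary (YAML); keys containing brackets are quoted:
  #   "reply": "yes"
  #   "reply[A]": "yes"
  #   "reply[AAAA]": "yes"
  translate {
    source           => "method"
    target           => "[@metadata][method_listed]"   # not written to the output
    dictionary_path  => "/etc/logstash/lookup/methods.yml"   # assumed path
    refresh_interval => 300
    fallback         => "no"    # value used when the key is not in the file
  }

  if [@metadata][method_listed] == "yes" {
    mutate { add_tag => ["method_in_file"] }        # hypothetical tag name
  }
}
```

Because the lookup result lives under `@metadata`, it drives the conditional without adding a field to the stored event.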